One of the largest and most professional thieving operations on the Internet
- Date: July 29, 2009
- Author: Joe Stewart, Director of Malware Research for the Counter Threat Unit (CTU)
Clampi (also known as Ligats, Ilomo or Rscan) is a Trojan designed to steal credentials from infected systems. Joe Stewart, SecureWorks Director of Malware Research for the Counter Threat Unit (CTU), first delved into Clampi in 2007 and as a result, SecureWorks successfully implemented countermeasures beginning in 2007 to protect its clients against Clampi.
In early 2009, Stewart launched a full investigation of this very elusive Trojan because of its use of the psexec tool to spread. In recent months, Clampi has spread across Microsoft networks in a worm-like fashion. Stewart estimates that hundreds of thousands of corporate and home PC users are infected with Clampi, and that the Trojan is stealing a tremendous amount of data, including financial data, from those infected corporate and home users.
See the Washington Post’s coverage of Clampi victim Slack Auto Parts, which had approximately $75,000 stolen by the Clampi group in early July, 2009.
Stewart has identified 1,400 web sites, in 70 different countries, out of 4,500 sites being targeted by those behind Clampi. The Clampi Trojan is requesting information specifically from these sites, via the infected computer users.
Clampi’s recent success in infecting victims comes from its use of domain administrator credentials, obtained either because the Trojan stole them, because they were re-used, or simply because a domain administrator logged into an already infected system. Once it holds domain administrator privileges, the Trojan uses the SysInternals tool "psexec" to copy itself to all computers on the domain.
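The spread described above leaves a characteristic trail on every host it reaches: a network logon by a privileged account followed moments later by the installation of the PsExec service (PSEXESVC, Windows System log Event ID 7045). The following detection logic is an added example written for this page, not SecureWorks code or a published CTU signature; it runs over constructed sample event records, and the account names, hosts, IP addresses and the 60-second correlation window are assumptions.

```python
"""Flag PsExec-style remote service installs and tie each one to the network
logon that preceded it, then group them by originating address.  One source
pushing the PsExec service to many hosts in quick succession is the worm-like
pattern Clampi produces.  Sample data below is constructed, not real log output."""
from datetime import datetime, timedelta

# Constructed sample records modelled on Security 4624 (logon) and
# System 7045 (service installed) events.  Field names are simplified.
SAMPLE_EVENTS = [
    {"time": "2009-07-20T10:00:00", "host": "WS-101", "id": 4624,
     "account": "CORP\\dadmin", "logon_type": 3, "source_ip": "10.0.0.17"},
    {"time": "2009-07-20T10:00:02", "host": "WS-101", "id": 7045,
     "service": "PSEXESVC", "image": "%SystemRoot%\\PSEXESVC.exe"},
    {"time": "2009-07-20T10:00:05", "host": "WS-102", "id": 4624,
     "account": "CORP\\dadmin", "logon_type": 3, "source_ip": "10.0.0.17"},
    {"time": "2009-07-20T10:00:07", "host": "WS-102", "id": 7045,
     "service": "PSEXESVC", "image": "%SystemRoot%\\PSEXESVC.exe"},
    # A benign service install with no matching remote logon: must not alert.
    {"time": "2009-07-20T10:05:00", "host": "WS-103", "id": 7045,
     "service": "BackupAgent", "image": "C:\\Program Files\\Backup\\agent.exe"},
]

# Assumed: the privileged accounts whose use over the network deserves scrutiny.
DOMAIN_ADMINS = {"CORP\\dadmin"}
PSEXEC_MARKER = "psexesvc"  # service name / image path fragment PsExec leaves behind


def parse_time(stamp):
    return datetime.fromisoformat(stamp)


def find_psexec_installs(events, window=timedelta(seconds=60)):
    """Return one alert per 7045 event whose service looks like PsExec, joined to
    the most recent network (logon type 3) logon on the same host within `window`."""
    ordered = sorted(events, key=lambda e: parse_time(e["time"]))
    alerts = []
    for i, ev in enumerate(ordered):
        if ev["id"] != 7045:
            continue
        name = ev.get("service", "").lower()
        image = ev.get("image", "").lower()
        if PSEXEC_MARKER not in name and PSEXEC_MARKER not in image:
            continue
        installed_at = parse_time(ev["time"])
        logon = None
        # Walk backwards in time; stop as soon as we leave the correlation window.
        for prev in reversed(ordered[:i]):
            if installed_at - parse_time(prev["time"]) > window:
                break
            if prev["host"] == ev["host"] and prev["id"] == 4624 \
                    and prev.get("logon_type") == 3:
                logon = prev
                break
        account = logon["account"] if logon else None
        alerts.append({
            "host": ev["host"],
            "time": ev["time"],
            "account": account,
            "source_ip": logon["source_ip"] if logon else None,
            "domain_admin": account in DOMAIN_ADMINS,
        })
    return alerts


def hosts_by_source(alerts):
    """Group alerted hosts by the address that pushed the service; a single
    source fanning out to many hosts is the lateral-movement signature."""
    grouped = {}
    for a in alerts:
        grouped.setdefault(a["source_ip"], []).append(a["host"])
    return grouped


if __name__ == "__main__":
    found = find_psexec_installs(SAMPLE_EVENTS)
    for a in found:
        print(a)
    print(hosts_by_source(found))
```

In production the same join would be run against centrally collected event logs, and the alert threshold would be set on the number of distinct hosts per source address within the window rather than on a single install, since legitimate administrators also use PsExec, just not against every machine in the domain at once.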
Clampi also serves as a proxy server used by criminals to anonymize their activity when logging into stolen accounts.
The Group and the Risk behind Clampi
Clampi is operated by a serious and sophisticated organized crime group from Eastern Europe and has been implicated in numerous high-dollar thefts from banking institutions. Any user whose system has been infected by Clampi should immediately change any and all passwords used on that system for any websites, but especially financial credentials.
How Clampi Works
Clampi uses a modular approach to stealing data, incorporating additional DLLs as needed to gain access to system and user information.
Encryption Used by Clampi Group
The traffic sent by Clampi to the command-and-control server is encrypted with 448-bit Blowfish, using a randomly generated session key that is itself sent to the control server under 2048-bit RSA encryption. Because the session key never travels in the clear, network inspection cannot recover the stolen data in transit; detection has to rely on the host and lateral-movement indicators described above.
How to Protect Against Clampi
Business Computer Protection
Most major anti-virus engines should be able to detect Clampi variants; however, there is always a delay between the release of a new Trojan variant and the availability of detection for it. Given the prevalence and seriousness of the Clampi Trojan, businesses that carry out online banking or other financial transactions should adopt a strategy that isolates the workstations used for those activities from possible Clampi or other data-stealing Trojan infections.
This may include using a dedicated workstation for accessing financial accounts that is isolated from the rest of the local network and from the Internet, with access allowed only to the specific financial sites that must be reached. Since Trojans can also spread via removable drives, such systems should be hardened against AutoRun-type threats. Businesses may even consider using an alternative operating system for workstations that access sensitive or financial accounts.
Home Computer User Protection
SecureWorks CTU recommends that home computer users use a computer dedicated only to doing their online banking and bill pay. They should not use that computer to surf the web and send and receive email, since web exploits and malicious email are two of the key malware infection vectors.